<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
Hello, <BR>
<BR>
Description of problem is as follows:<BR>
<BR>
<BLOCKQUOTE>
I have an email server package called Scalix, which when installed came with OpenLDAP. On the same server I am also running stunnel, which is already successfully SSL-wrapping the IMAP, POP, and SMTP protocols. The LDAP directory is very handy for an address book internally, but we also have people that will be outside the corporate LAN, and providing the directory securely would be desirable, so I added the lines in the stunnel.conf to wrap LDAP as well. I can see the stunnel daemon listening on port 636. But when I try to connect from any SSL-aware mail client, such as Evolution or Entourage, I get an error indicating failure to authenticate, which I know is not really the problem because the LDAP directory has anonymous read access enabled. Debug logging gives more information about what is occurring; here is the conversation when attempting to connect:<BR>
<BR>
2005.04.28 12:15:05 LOG5[27926:1076812720]: ldaps connected from 71.4.124.200:43012<BR>
2005.04.28 12:15:05 LOG7[27926:1076812720]: SSL state (accept): before/accept initialization<BR>
2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: FD=14, DIR=read<BR>
2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: ok<BR>
2005.04.28 12:15:05 LOG3[27926:1076812720]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol<BR>
2005.04.28 12:15:05 LOG7[27926:1076812720]: ldaps finished (6 left)
<BR>
<BR>
Searching the archive I saw someone suggesting that either the LDAP server or the LDAP client was not compiled with SSL support. I know the email clients I am trying to connect with are SSL compatible, and maybe someone can set me straight here, but I didn't think that the LDAP server had to be SSL aware; wasn't that the advantage of stunnel, that it can wrap services that do not have SSL support? At any rate I believe the LDAP server does have SSL support, because I can see that the binary omslapd (provided by Scalix; the preceding "om" is there because Scalix is based on HP's OpenMail) links to the SSL library, using the ldd command. Here is the output; note the bolded line:<BR>
<BR>
msp1intmx01:~ # ldd /opt/scalix/bin/omslapd<BR>
linux-gate.so.1 => (0xffffe000)<BR>
libom_er.so => /opt/scalix/lib/libom_er.so (0x40018000)<BR>
libom_ext.so => /opt/scalix/lib/libom_ext.so (0x40023000)<BR>
libom_ldapth.so => /opt/scalix/lib/libom_ldapth.so (0x4002d000)<BR>
libom_mdc.so => /opt/scalix/lib/libom_mdc.so (0x4004f000)<BR>
libom_omldap.so => /opt/scalix/lib/libom_omldap.so (0x4005c000)<BR>
libom_os.so => /opt/scalix/lib/libom_os.so (0x40079000)<BR>
libom_sdl.so => /opt/scalix/lib/libom_sdl.so (0x40087000)<BR>
libom_str.so => /opt/scalix/lib/libom_str.so (0x4008e000)<BR>
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x400a9000)<BR>
libc.so.6 => /lib/tls/libc.so.6 (0x400b9000)<BR>
libom_cvc.so => /opt/scalix/lib/libom_cvc.so (0x401ce000)<BR>
libom_go.so => /opt/scalix/lib/libom_go.so (0x401e2000)<BR>
libom_t61.so => /opt/scalix/lib/libom_t61.so (0x401e6000)<BR>
libom_tfl.so => /opt/scalix/lib/libom_tfl.so (0x401eb000)<BR>
libom_gcl.so => /opt/scalix/lib/libom_gcl.so (0x401f1000)<BR>
libom_ccs.so => /opt/scalix/lib/libom_ccs.so (0x401f5000)<BR>
libdl.so.2 => /lib/libdl.so.2 (0x40203000)<BR>
libom_cl.so => /opt/scalix/lib/libom_cl.so (0x40206000)<BR>
libom_cust.so => /opt/scalix/lib/libom_cust.so (0x40215000)<BR>
libom_da.so => /opt/scalix/lib/libom_da.so (0x4021c000)<BR>
libom_dit.so => /opt/scalix/lib/libom_dit.so (0x40244000)<BR>
libom_dr.so => /opt/scalix/lib/libom_dr.so (0x4024a000)<BR>
libom_hash.so => /opt/scalix/lib/libom_hash.so (0x4027b000)<BR>
libom_lng.so => /opt/scalix/lib/libom_lng.so (0x4027e000)<BR>
libom_mes.so => /opt/scalix/lib/libom_mes.so (0x40282000)<BR>
libom_mim.so => /opt/scalix/lib/libom_mim.so (0x4028a000)<BR>
libom_ml.so => /opt/scalix/lib/libom_ml.so (0x4029d000)<BR>
libom_pam.so => /opt/scalix/lib/libom_pam.so (0x402a6000)<BR>
libom_pwdl.so => /opt/scalix/lib/libom_pwdl.so (0x402b4000)<BR>
libom_ul.so => /opt/scalix/lib/libom_ul.so (0x402b9000)<BR>
libom_uni.so => /opt/scalix/lib/libom_uni.so (0x402cc000)<BR>
libom_im.so => /opt/scalix/lib/libom_im.so (0x402e3000)<BR>
libom_sfl.so => /opt/scalix/lib/libom_sfl.so (0x402ee000)<BR>
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4030c000)<BR>
libom_sml.so => /opt/scalix/lib/libom_sml.so (0x4033d000)<BR>
libom_tfo.so => /opt/scalix/lib/libom_tfo.so (0x40340000)<BR>
libom_enc.so => /opt/scalix/lib/libom_enc.so (0x40343000)<BR>
libom_lkf.so => /opt/scalix/lib/libom_lkf.so (0x40347000)<BR>
libom_nm.so => /opt/scalix/lib/libom_nm.so (0x4034b000)<BR>
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)<BR>
libom_uscv.so => /opt/scalix/lib/libom_uscv.so (0x40352000)<BR>
libom_fstr.so => /opt/scalix/lib/libom_fstr.so (0x4035a000)<BR>
libom_gen.so => /opt/scalix/lib/libom_gen.so (0x4035c000)<BR>
libom_xdse.so => /opt/scalix/lib/libom_xdse.so (0x40362000)<BR>
libom_acl.so => /opt/scalix/lib/libom_acl.so (0x40365000)<BR>
libom_cdl.so => /opt/scalix/lib/libom_cdl.so (0x4036c000)<BR>
libom_drsc.so => /opt/scalix/lib/libom_drsc.so (0x40374000)<BR>
libom_inet.so => /opt/scalix/lib/libom_inet.so (0x40379000)<BR>
libom_vi.so => /opt/scalix/lib/libom_vi.so (0x40388000)<BR>
libom_akt.so => /opt/scalix/lib/libom_akt.so (0x40399000)<BR>
libom_q.so => /opt/scalix/lib/libom_q.so (0x403a1000)<BR>
libom_date.so => /opt/scalix/lib/libom_date.so (0x403a6000)<BR>
libom_ssn.so => /opt/scalix/lib/libom_ssn.so (0x403a8000)<BR>
libom_orname.so => /opt/scalix/lib/libom_orname.so (0x403ac000)<BR>
libom_culb.so => /opt/scalix/lib/libom_culb.so (0x403af000)<BR>
libom_dstring.so => /opt/scalix/lib/libom_dstring.so (0x403b3000)<BR>
<B>libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x403b6000)</B><BR>
libom_ufcv.so => /opt/scalix/lib/libom_ufcv.so (0x403e7000)<BR>
libom_vista.so => /opt/scalix/lib/libom_vista.so (0x4040d000)<BR>
libom_rda.so => /opt/scalix/lib/libom_rda.so (0x40439000)<BR>
libom_rdudp.so => /opt/scalix/lib/libom_rdudp.so (0x4043e000)<BR>
libom_rsl.so => /opt/scalix/lib/libom_rsl.so (0x40444000)<BR>
libom_mp.so => /opt/scalix/lib/libom_mp.so (0x40456000)<BR>
libom_mpl.so => /opt/scalix/lib/libom_mpl.so (0x4045e000)<BR>
libom_msg.so => /opt/scalix/lib/libom_msg.so (0x40466000)<BR>
libom_qml.so => /opt/scalix/lib/libom_qml.so (0x4046c000)<BR>
libom_tf.so => /opt/scalix/lib/libom_tf.so (0x40471000)<BR>
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x4047b000)<BR>
libom_fmem.so => /opt/scalix/lib/libom_fmem.so (0x4056b000)<BR>
libom_acf.so => /opt/scalix/lib/libom_acf.so (0x40570000)<BR>
libom_cvr.so => /opt/scalix/lib/libom_cvr.so (0x40575000)<BR>
libom_ct.so => /opt/scalix/lib/libom_ct.so (0x40589000)<BR>
libom_bb.so => /opt/scalix/lib/libom_bb.so (0x405cc000)<BR>
libom_rtfl.so => /opt/scalix/lib/libom_rtfl.so (0x405e1000)<BR>
libom_isl.so => /opt/scalix/lib/libom_isl.so (0x405f2000)<BR>
libom_nf.so => /opt/scalix/lib/libom_nf.so (0x405fc000)<BR>
libom_nfda.so => /opt/scalix/lib/libom_nfda.so (0x40602000)<BR>
libom_nsl.so => /opt/scalix/lib/libom_nsl.so (0x40607000)<BR>
libom_exual.so => /opt/scalix/lib/libom_exual.so (0x4060d000)<BR>
<BR>
</BLOCKQUOTE>
<BR>
Stunnel version information is as follows:<BR>
<BR>
<BLOCKQUOTE>
stunnel 4.05 on i686-suse-linux-gnu PTHREAD with OpenSSL 0.9.7d 17 Mar 2004<BR>
<BR>
Global options<BR>
cert = /etc/stunnel/stunnel.pem<BR>
ciphers = ALL:!ADH:+RC4:@STRENGTH<BR>
debug = 5<BR>
key = /etc/stunnel/stunnel.pem<BR>
pid = /var/run/stunnel.pid<BR>
RNDbytes = 64<BR>
RNDfile = /dev/urandom<BR>
RNDoverwrite = yes<BR>
session = 300 seconds<BR>
verify = none<BR>
<BR>
Service-level options<BR>
TIMEOUTbusy = 300 seconds<BR>
TIMEOUTclose = 60 seconds<BR>
TIMEOUTidle = 43200 seconds<BR>
<BR>
</BLOCKQUOTE>
Stunnel is running in stand-alone mode and is being started without any parameters that I am aware of; I just used the init script supplied by SuSE for their Enterprise 9 server product. <BR>
<BR>
<BR>
Output of "stunnel -f -D 7" is:<BR>
<BR>
<BLOCKQUOTE>
msp1intmx01:~ # stunnel -f -D 7<BR>
2005.04.29 08:27:24 LOG3[3326:1076392064]: -f: No such file or directory (2)<BR>
<BR>
</BLOCKQUOTE>
Output of "stunnel -V" is:<BR>
<BR>
<BLOCKQUOTE>
msp1intmx01:~ # stunnel -V<BR>
2005.04.29 08:30:49 LOG3[3368:1076392064]: -V: No such file or directory (2)<BR>
</BLOCKQUOTE>
Output of "uname -a"<BR>
<BR>
<BLOCKQUOTE>
msp1intmx01:~ # uname -a<BR>
Linux msp1intmx01 2.6.5-7.151-smp #1 SMP Fri Mar 18 11:31:21 UTC 2005 i686 i686 i386 GNU/Linux<BR>
</BLOCKQUOTE>
<BR>
Libc version is 2.3.3<BR>
<BR>
Output of "gcc -v"<BR>
<BR>
<BLOCKQUOTE>
msp1intmx01:~ # gcc -v<BR>
Reading specs from /usr/lib/gcc-lib/i586-suse-linux/3.3.3/specs<BR>
Configured with: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --enable-languages=c,c++,f77,objc,java,ada --disable-checking --libdir=/usr/lib --enable-libgcj --with-gxx-include-dir=/usr/include/g++ --with-slibdir=/lib --with-system-zlib --enable-shared --enable-__cxa_atexit i586-suse-linux<BR>
Thread model: posix<BR>
gcc version 3.3.3 (SuSE Linux)<BR>
<BR>
</BLOCKQUOTE>
Openssl version is:<BR>
<BR>
<BLOCKQUOTE>
msp1intmx01:~ # openssl version<BR>
OpenSSL 0.9.7d 17 Mar 2004<BR>
</BLOCKQUOTE>
<BR>
<BR>
Regards,<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<PRE>
--
Michael W. Partyka
Jumpnode Systems, LLC
Systems Administrator
612.605.5056 Desk
651.208.5734 Cell
</PRE>
</TD>
</TR>
</TABLE>
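<BR>
Added example, not part of the message above and not stunnel's or Scalix's code. OpenSSL's SSL23_GET_CLIENT_HELLO reports "unknown protocol" when the first bytes it receives on the listener look like neither an SSLv2 nor an SSLv3/TLS ClientHello, which is what happens when the client sends plaintext (for instance a mail client configured for plain LDAP or STARTTLS on port 636 rather than LDAP over SSL). The helper below classifies the first bytes of a connection as a TLS ClientHello, an SSLv2-style hello, a plaintext LDAP BER message, or unknown, so a defender can tell "the client never spoke TLS" apart from "the TLS setup is wrong" before touching the stunnel or slapd configuration. The sample byte strings are constructed for the example, not captured from the poster's server; peek_client() is an assumed helper name for use on a diagnostic listener.<BR>
<BR>
```python
"""
Classify the first bytes a client sends to a TLS-wrapped port (for example
stunnel's ldaps listener on 636), to tell a real SSL/TLS ClientHello apart
from plaintext LDAP. Added example, not from the mailing-list post.
"""
import socket

TLS_HANDSHAKE = 0x16         # TLS record content type: handshake
SSL2_MT_CLIENT_HELLO = 0x01  # SSLv2 message type CLIENT-HELLO
BER_SEQUENCE = 0x30          # BER tag of the outer LDAPMessage SEQUENCE


def classify_client_bytes(data: bytes) -> dict:
    """Return what protocol the first bytes of a connection look like.

    'tls':     SSLv3/TLS record layer carrying a ClientHello
    'sslv2':   SSLv2-style ClientHello (2-byte length header, high bit set)
    'ldap':    plaintext LDAP, i.e. a BER SEQUENCE with an INTEGER messageID
    'unknown': anything else (the case OpenSSL reports as 'unknown protocol')
    """
    if len(data) < 3:
        return {"kind": "unknown", "reason": "too short"}
    b0, b1, b2 = data[0], data[1], data[2]
    # SSLv3/TLS: content type 22 (handshake), major version 3, minor 0..4
    if b0 == TLS_HANDSHAKE and b1 == 0x03 and b2 <= 0x04:
        if len(data) >= 6 and data[5] == 0x01:   # handshake type 1 = ClientHello
            return {"kind": "tls", "record_version": f"3.{b2}"}
        return {"kind": "unknown", "reason": "TLS record but not a ClientHello"}
    # SSLv2-compatible hello: high bit of first byte set, message type 1,
    # followed by the two-byte version the client asks for
    if b0 & 0x80 and b2 == SSL2_MT_CLIENT_HELLO and len(data) >= 5:
        return {"kind": "sslv2", "hello_version": f"{data[3]}.{data[4]}"}
    # Plaintext LDAP: LDAPMessage ::= SEQUENCE { messageID INTEGER, ... }
    if b0 == BER_SEQUENCE:
        msg_id = _ldap_message_id(data)
        if msg_id is not None:
            return {"kind": "ldap", "message_id": msg_id}
    return {"kind": "unknown", "reason": "no SSL/TLS or LDAP signature"}


def _ldap_message_id(data: bytes):
    """Parse the messageID INTEGER that follows the outer SEQUENCE, or None."""
    i = 1                                   # skip the SEQUENCE tag
    if i >= len(data):
        return None
    if data[i] & 0x80:                      # long-form length: 0x8N + N bytes
        i += 1 + (data[i] & 0x7F)
    else:                                   # short-form length: one byte
        i += 1
    if i + 2 > len(data) or data[i] != 0x02:   # expect INTEGER tag
        return None
    n = data[i + 1]
    if n == 0 or n > 4 or i + 2 + n > len(data):
        return None
    return int.from_bytes(data[i + 2:i + 2 + n], "big")


def peek_client(sock: socket.socket, nbytes: int = 16) -> dict:
    """Classify what an accepted connection sends first without consuming it
    (MSG_PEEK), so a diagnostic listener can log the verdict and still hand
    the bytes on. Assumes the client speaks first, as LDAP and TLS clients do.
    Hypothetical helper for this example."""
    return classify_client_bytes(sock.recv(nbytes, socket.MSG_PEEK))


# Constructed sample inputs (not captured from the poster's server):
# a TLS 1.0 record carrying a ClientHello (handshake type 1)
SAMPLE_TLS = bytes.fromhex("160301002a01000026030100000000")
# an SSLv2-compatible ClientHello header asking for version 3.1
SAMPLE_SSLV2 = bytes.fromhex("802e010301000300000000")
# a plaintext LDAP anonymous simple bind: messageID 1, version 3, empty DN
SAMPLE_LDAP = bytes.fromhex("300c020101600702010304008000")

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("sslv2", SAMPLE_SSLV2),
                         ("ldap", SAMPLE_LDAP), ("junk", b"GET / HTTP/1.0\r\n")):
        print(name, classify_client_bytes(sample))
```
<BR>
An "ldap" verdict on port 636 means the client was configured for plain LDAP (or STARTTLS) rather than LDAP over SSL, which is exactly the case that produces the SSL23_GET_CLIENT_HELLO error in the log above; a "tls" verdict with stunnel still failing points at the stunnel side instead. Because stunnel terminates TLS itself and forwards plaintext to the backend, the wrapped omslapd does not need to link against libssl for this setup to work. Note also that stunnel 4.x no longer accepts the 3.x-style -f and -D switches shown failing above; it takes only a configuration file path, -fd, -help, -version or -sockets, with debug level and other options set in the configuration file.<BR>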
</BODY>
</HTML>